package org.keycloak.adapters.as7;

import java.io.IOException;
import java.util.HashSet;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.jboss.logging.Logger;
import org.keycloak.SkeletonKeyPrincipal;
import org.keycloak.SkeletonKeySession;
import org.keycloak.adapters.ResourceMetadata;
import org.keycloak.adapters.as7.config.CatalinaAdapterConfigLoader;
import org.keycloak.adapters.config.RealmConfiguration;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.representations.SkeletonKeyToken;
import org.keycloak.representations.adapters.action.LogoutAction;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.util.JsonSerialization;
import org.keycloak.util.StreamUtil;

/* loaded from: input_file:org/keycloak/adapters/as7/KeycloakAuthenticatorValve.class */
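/**
 * Catalina (AS7 / JBoss Web) authenticator valve for Keycloak.
 *
 * <p>It does three things:
 * <ul>
 *   <li>bearer-token authentication (delegated to {@link CatalinaBearerTokenAuthenticator});</li>
 *   <li>the browser OAuth code flow: save the original request, redirect to the realm,
 *       exchange the returned code for a token and bind the resulting principal to the
 *       Catalina session;</li>
 *   <li>the back-channel {@code k_logout} admin request, which is accepted only when its
 *       JWS payload verifies against the realm public key, is not expired and names this
 *       resource.</li>
 * </ul>
 * Configuration is loaded once, after the context has started (see {@link #lifecycleEvent}).
 */
public class KeycloakAuthenticatorValve extends FormAuthenticator implements LifecycleListener {
    private static final Logger log = Logger.getLogger(KeycloakAuthenticatorValve.class);

    /** URI suffix that routes a request to the back-channel admin logout handler. */
    private static final String LOGOUT_URI_SUFFIX = "k_logout";
    /** Catalina lifecycle event type after which the adapter configuration is loaded. */
    private static final String AFTER_START_EVENT = "after_start";
    /** Auth type recorded on the request and session after a successful OAuth login. */
    private static final String OAUTH_AUTH_TYPE = "OAUTH";
    /** Catalina session note holding the request saved before the login redirect. */
    private static final String FORM_REQUEST_NOTE = "org.apache.catalina.authenticator.REQUEST";

    protected RealmConfiguration realmConfiguration;
    protected UserSessionManagement userSessionManagement = new UserSessionManagement();
    protected AdapterConfig adapterConfig;
    protected ResourceMetadata resourceMetadata;

    /** Starts the valve and registers it to be told when the context has finished starting. */
    public void start() throws LifecycleException {
        super.start();
        this.context.addLifecycleListener(this);
    }

    /**
     * Loads the adapter configuration once the context reports {@code after_start}.
     * Compared with {@code equals} rather than {@code ==} so the check does not depend on
     * the event-type string being interned.
     */
    public void lifecycleEvent(LifecycleEvent lifecycleEvent) {
        if (AFTER_START_EVENT.equals(lifecycleEvent.getType())) {
            init();
        }
    }

    /**
     * Reads the adapter configuration for this context and chains the
     * {@link AuthenticatedActionsValve} behind this valve.
     */
    protected void init() {
        CatalinaAdapterConfigLoader loader = new CatalinaAdapterConfigLoader(this.context);
        loader.init(true);
        this.resourceMetadata = loader.getResourceMetadata();
        this.adapterConfig = loader.getAdapterConfig();
        this.realmConfiguration = loader.getRealmConfiguration();
        setNext(new AuthenticatedActionsValve(this.adapterConfig, getNext(), getContainer(), getController()));
    }

    /**
     * Entry point for every request on the context.
     *
     * <p>CORS preflights (when enabled) are answered without authentication. Any request
     * whose decoded URI ends in {@code k_logout} is treated as a back-channel admin request:
     * it bypasses the normal authenticator chain and is authenticated solely by the JWS
     * signature of its body, so nothing else guards that path. Everything else goes through
     * {@link FormAuthenticator#invoke}, which ends up in {@link #authenticate}.
     */
    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (this.adapterConfig.isCors() && new CorsPreflightChecker(this.adapterConfig).checkCorsPreflight(request, response)) {
            return;
        }
        if (request.getDecodedRequestURI().endsWith(LOGOUT_URI_SUFFIX)) {
            JWSInput adminRequest = verifyAdminRequest(request, response);
            if (adminRequest != null) {
                remoteLogout(adminRequest, response);
            }
            return;
        }
        super.invoke(request, response);
    }

    /**
     * Authenticates a request: bearer token first, then an existing authenticated session,
     * otherwise (unless bearer-only) the OAuth redirect flow.
     *
     * @return {@code true} when the request is authenticated and may proceed
     */
    public boolean authenticate(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig) throws IOException {
        try {
            if (bearer(false, request, httpServletResponse)) {
                return true;
            }
            if (!checkLoggedIn(request, httpServletResponse)) {
                if (!this.adapterConfig.isBearerOnly()) {
                    oauth(request, httpServletResponse);
                }
                return false;
            }
            // Already logged in. If a request was saved before the login redirect, replay it now.
            if (request.getSessionInternal().getNote(FORM_REQUEST_NOTE) == null) {
                return true;
            }
            if (restoreRequest(request, request.getSessionInternal())) {
                log.debug("restoreRequest");
                return true;
            }
            log.debug("Restore of original request failed");
            httpServletResponse.sendError(400);
            return false;
        } catch (LoginException e) {
            // Bearer login failure: the bearer authenticator has already written the challenge.
            log.debug("bearer authentication failed", e);
            return false;
        }
    }

    /**
     * Reads the request body as a JWS and verifies it against the realm public key.
     *
     * <p>A missing/empty body, an unparseable JWS or a failed signature check all result in
     * a 403 and a {@code null} return; the caller must stop processing on {@code null}.
     * Expiry and resource checks on the payload are done by {@link #remoteLogout}.
     *
     * @return the verified JWS, or {@code null} if a 403 has been sent
     */
    protected JWSInput verifyAdminRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String token = StreamUtil.readString(httpServletRequest.getInputStream());
        if (token == null || token.length() == 0) {
            log.warn("admin request failed, no token");
            httpServletResponse.sendError(403, "no token");
            return null;
        }
        JWSInput input = null;
        boolean verified = false;
        try {
            // Parsing is inside the try so a malformed token is rejected with 403 rather
            // than escaping as an unhandled exception.
            input = new JWSInput(token);
            verified = RSAProvider.verify(input, this.resourceMetadata.getRealmKey());
        } catch (Exception e) {
            log.debug("admin request token could not be parsed or verified", e);
        }
        if (verified) {
            return input;
        }
        log.warn("admin request failed, unable to verify token");
        httpServletResponse.sendError(403, "verification failed");
        return null;
    }

    /**
     * Applies a verified back-channel logout: logs out one user's sessions, or all
     * sessions when the action names no user.
     *
     * @param jWSInput a JWS already verified by {@link #verifyAdminRequest}
     */
    protected void remoteLogout(JWSInput jWSInput, HttpServletResponse httpServletResponse) throws IOException {
        LogoutAction logoutAction;
        try {
            log.debug("->> remoteLogout: ");
            logoutAction = (LogoutAction) JsonSerialization.readValue(jWSInput.getContent(), LogoutAction.class);
        } catch (Exception e) {
            log.warn("failed to logout", e);
            httpServletResponse.sendError(500, "Failed to logout");
            // Must stop here: the original fell through and dereferenced the unassigned action.
            return;
        }
        if (logoutAction.isExpired()) {
            log.warn("admin request failed, expired token");
            httpServletResponse.sendError(400, "Expired token");
            return;
        }
        // A token issued for another resource in the same realm carries a valid realm
        // signature; the resource-name check is what scopes it to this deployment.
        if (!this.resourceMetadata.getResourceName().equals(logoutAction.getResource())) {
            log.warn("Resource name does not match");
            httpServletResponse.sendError(400, "Resource name does not match");
            return;
        }
        String user = logoutAction.getUser();
        if (user == null) {
            log.debug("logout of all sessions");
            this.userSessionManagement.logoutAll();
        } else {
            log.debug("logout of session for: " + user);
            this.userSessionManagement.logout(user);
        }
        httpServletResponse.setStatus(204);
    }

    /**
     * Attempts bearer-token authentication.
     *
     * @param z passed through as the bearer authenticator's second constructor argument
     *          (named {@code challenge} in the caller's intent; always {@code false} from
     *          {@link #authenticate})
     */
    protected boolean bearer(boolean z, Request request, HttpServletResponse httpServletResponse) throws LoginException, IOException {
        CatalinaBearerTokenAuthenticator authenticator =
                new CatalinaBearerTokenAuthenticator(this.realmConfiguration.getMetadata(), z, this.adapterConfig.isUseResourceRoleMappings());
        return authenticator.login(request, httpServletResponse);
    }

    /**
     * If the Catalina session already carries a principal, re-establishes it on the request
     * (principal, auth type and the stored {@link SkeletonKeySession}, if any).
     *
     * @return {@code true} when the request was populated from an existing session
     */
    protected boolean checkLoggedIn(Request request, HttpServletResponse httpServletResponse) {
        Session session = request.getSessionInternal();
        if (session == null || session.getPrincipal() == null) {
            return false;
        }
        log.debug("remote logged in already");
        request.setUserPrincipal(session.getPrincipal());
        request.setAuthType(OAUTH_AUTH_TYPE);
        SkeletonKeySession skeletonKeySession = (SkeletonKeySession) session.getNote(SkeletonKeySession.class.getName());
        if (skeletonKeySession != null) {
            request.setAttribute(SkeletonKeySession.class.getName(), skeletonKeySession);
        }
        return true;
    }

    /**
     * Drives the OAuth code flow.
     *
     * <p>Without a code: an error parameter is reported as 400, otherwise the current
     * request is saved on the session and the browser is redirected to the realm. With a
     * code: the code is exchanged for a token, roles are taken from either the resource or
     * the realm access block (per {@code useResourceRoleMappings}), and the resulting
     * principal is bound to the session.
     *
     * <p>NOTE(review): the session created for {@code saveRequest} before the redirect is the
     * same one that receives the principal after the code exchange, and nothing here rotates
     * its id — so this path does not go through the base authenticator's
     * session-id-change-on-authentication. Whether the container compensates elsewhere cannot
     * be determined from this file; confirm before relying on it for session-fixation defence.
     */
    protected void oauth(Request request, HttpServletResponse httpServletResponse) throws IOException {
        ServletOAuthLogin login = new ServletOAuthLogin(this.realmConfiguration, request, httpServletResponse, request.getConnector().getRedirectPort());
        String code = login.getCode();
        if (code == null) {
            String error = login.getError();
            if (error != null) {
                httpServletResponse.sendError(400, "OAuth " + error);
            } else {
                saveRequest(request, request.getSessionInternal(true));
                login.loginRedirect();
            }
            return;
        }
        if (!login.resolveCode(code)) {
            // resolveCode is expected to have written its own error response; nothing more to do.
            return;
        }
        SkeletonKeyToken token = login.getToken();
        HashSet<String> roles = new HashSet<String>();
        SkeletonKeyToken.Access access = this.adapterConfig.isUseResourceRoleMappings()
                ? token.getResourceAccess(this.resourceMetadata.getResourceName())
                : token.getRealmAccess();
        if (access != null) {
            roles.addAll(access.getRoles());
        }
        GenericPrincipal principal = new CatalinaSecurityContextHelper()
                .createPrincipal(this.context.getRealm(), new SkeletonKeyPrincipal(token.getSubject(), (String) null), roles);
        Session session = request.getSessionInternal(true);
        session.setPrincipal(principal);
        session.setAuthType(OAUTH_AUTH_TYPE);
        session.setNote(SkeletonKeySession.class.getName(), new SkeletonKeySession(login.getTokenString(), token, this.realmConfiguration.getMetadata()));
        String subject = token.getSubject();
        log.debug("userSessionManage.login: " + subject);
        this.userSessionManagement.login(session, subject);
    }
}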
